Whether in an office, a superstore, or an airport, the best IT security pros are always looking for vulnerabilities

InfoWorld|Jun 7, 2011

Career advisers often ask me what trait would most help an IT security pro excel. My answer is always the same: Think like a hacker.

I don't mean in the sense of a black hat hacker who engages in illegal practices, but true computer security pros are always hacking systems, all the time, at least mentally. They have the mind-set to automatically think of ways to break into almost any system they come across. By looking at systems through the eyes of a hacker, you can better identify weaknesses and create defenses. The best antihackers are hackers themselves.

I know I can't help coming up with ways to crack any and all systems in my path. Last week, I was shopping at the local superstore. Just as I was heading out, someone came in with a return, and the antitheft detectors went off. The person returning the item was redirected to the nearby customer service area while I was waved on with an apology. Instantly I thought, How do they know I'm not stealing something? The answer: They didn't know.

My hacker mind went into overdrive. If I were a professional criminal, I could get an accomplice to wait until I was ready to exit the store with my concealed item. The accomplice could hold a security-tagged item out in the open. Just as I try to exit the store, he or she would walk next to the antitheft device. The accomplice wouldn't even have to attempt to exit the store; he or she could just stand by the detector with the item and wave it to the store's security people until they walk away.

The antitheft detector has a weak link in that it can't differentiate between a single possible theft and multiple thefts. It doesn't tell the store security personnel who has the item or where it is located. That part relies upon human intuition, an additional weak link. It doesn't help that the sensors are going off all the time for mostly false-positive events. I'm sure nearly every store's staff is almost trained to ignore them unless someone is blatantly stealing an item. By identifying those weaknesses with a hacker mentality, one could devise plans to fix the security holes. In this instance, I would say that employees need to be trained to ask all nearby customers to separately walk through the alarm zone again when a warning buzzer sounds, so they can confirm who set off the alarm.

I've also figured out how to "hack" the airport's security scheme to sneak plastic explosives onto an airplane: Buy and modify a wheelchair that is marked and aged identically to a wheelchair at the airport. You might have to remember to add a security identifier, RFID tag, or transponder if you get to an airport with that level of sophistication. Conceal the plastic explosives inside the wheelchair and help your knowing or unknowing accomplice, perhaps an elderly grandmother, into the airport via one of the nearby remote parking lots.

TSA is doing a better job at inspecting wheelchairs and other equipment that enters the security checkpoints, but the staff doesn't X-ray, check for bombs, or perform anything other than a good visual inspection. Once past TSA, let your grandmother go to the bathroom and disassemble the forged carrier. Voila! The bomb is past TSA and ready to bring onto an airplane.

Any readers freaking out that I've just told terrorists how to do this can relax. I've written about this several times in the past with no fake wheelchair security incidents to report and even sent my scheme to the TSA when it was first formed. Plus, you can do this sort of thing with dozens of other common pieces of equipment at an airport.

Also, having used my hacker mind-set to come up with vulnerabilities in the airport security systems, I was able to devise defenses. Airports could use wheelchairs built out of transparent materials so that nothing can be hidden within the tubes. They could permit chairs to be used only by trusted employees and only within designated areas, perhaps transferring the assisted person from their chair to a "trusted" chair as they go past the TSA zone.

Of course, let's not forget computers and computer software. I was overclocking CPUs as soon as I learned I could do it. Every new piece of software I see -- I don't care what it is -- I'm thinking about how it could be hacked or used to hack. For some software features, you can see the vulnerabilities from a mile away, such as when Adobe added JavaScript support to Adobe Acrobat Reader. Others, such as the Java language, which was built with security considered from the very start, were harder to spot. To this day, I'm amazed Java has suffered hundreds of exploits and is still the most popular successfully exploited program today -- so much for good intentions.

On the computer-security front, defenders need to think like attackers, then help implement systems that defend against them. This is the type of thinking that led to private/public key cryptography, challenge-response authentication protocols, and antivirus scanners. The world has enough attackers. We need more white hat hackers that think maliciously but act magnanimously for the common good.

I think all good computer security people hack everything they see. Of course, I always hope that my comrades use their powers for good and not evil. But when I'm interviewing a new job candidate and they tell me they pick locks or hack wireless cameras, I usually realize I have a winning job candidate. It takes one to know one.